GUEST ESSAY: A roadmap to achieve a better balance of network security and performance

By Sashi Jeyaretnam

Here’s a frustrating reality about securing an enterprise network: the more closely you inspect network traffic, the more you degrade the user experience.


Slow down application performance a little, and you’ve got frustrated users. Slow it down a lot, and most likely, whichever knob you just turned gets quickly turned back again—potentially leaving your business exposed.

It’s a delicate balance. But there’s something you can do to get better at striking it: build that balance into your network testing and policy management.

Navigating threats

Why do so many businesses struggle to balance network security and user experience? Because recent trends create new challenges on both sides of the equation. Trends like:

•More distributed users and applications. Even before the COVID-19 pandemic, enterprises saw huge increases in people working outside the traditional corporate firewall. Today, users could be working anywhere, accessing applications and data from any number of potentially vulnerable public and private clouds. It adds up to a much larger attack surface.

•More dynamic environments. Security has always been a moving target, with new threat vectors emerging all the time. Today though, the enterprise network itself changes just as frequently. With software-defined networks, shifting cloud infrastructures, and continuous integration/continuous delivery (CI/CD) pipelines, the network you have today might look very different tomorrow.

•Pervasive encryption. Most application and Internet traffic is now encrypted by default, making it much harder to screen the network for malicious traffic. Inspecting encrypted traffic means terminating each TLS session, decrypting, inspecting and re-encrypting it, which adds significant latency and can cut application performance roughly in half. Unless your security controls perform far better than the ones you used in the past, your latency-sensitive applications can become effectively unusable.

These are big challenges, and most organizations are still searching for answers. For example, half of enterprise firewalls capable of inspecting encrypted traffic don’t have that feature turned on due to performance concerns. You might preserve user Quality of Experience (QoE) that way, but you’re leaving your business vulnerable.

A smarter approach


The constant push and pull between security and performance isn’t an anomaly. It’s baked into network threat defense, and no miracle tool is coming that will make the problem go away. But that doesn’t mean you can’t do something about it. In fact, the smartest thing you can do is acknowledge that it will always be a problem, and adapt your change management processes to reflect that. You do that via synthetic testing.

Using modern emulation assessment tools, you can deploy test agents at strategic points in your environment (within the on-premises network, in public and private clouds, at branch offices, and more) to simulate the network topology. You can then inject emulated traffic to test the performance limits of your network devices, web applications, and media services with all security controls engaged.

With this approach, you can establish a baseline for application performance on the network and ensure that user QoE remains good, even with network threat controls fully engaged. You can identify the right mix and size of security solutions to deploy and validate that you’re getting what you paid for. Then—and this is the key—you can proactively verify performance and security against the established baseline every time something changes in the network.

Balancing security and QoE

This approach is already widely used by organizations that can’t tolerate performance problems, such as service providers and financial enterprises in areas like high-speed trading. Given the steady growth of cyberthreats, encryption, and distributed users and applications, enterprises in every industry should be following their lead.

If you’re ready to implement continuous testing, here are four principles to keep in mind:

•Look beyond vendor data sheets. Enterprises often devote significant effort to evaluating network security solutions prior to implementation, but surprisingly little to validating their performance once deployed. That’s a good way to get surprised. In too many cases, network and security organizations don’t even realize they have a performance problem until users start complaining.

•Emulate your unique environment. Even when a security vendor’s reported specs reflect reality, they’re based on ideal conditions, not your network. As you design your test scenarios, make sure you’re emulating the real-world production environment, with all applications and security controls configured as they will be for real users. You can then drill down into exactly what throughput looks like and what latencies different network applications are experiencing, and verify that the result actually meets the needs of the business.

•Think like an attacker. Along those lines, to validate security efficacy, make sure you’re testing against a realistic set of threat vectors that you’re looking to protect against. Keep in mind, attackers won’t just send basic threats; they’ll use evasions and obfuscations to try to hide what they’re doing. Your network security simulations should do the same.

•Test and test again. The most important step you can take to balance network security and performance: adopt a posture of continuous assessment. Start by identifying your baseline: what the environment looks like when everything is working as it should, when the security controls that matter to your business are active, and when your users have good QoE. Then, test against that baseline every time something changes.

Whether it’s a new network security solution, a software upgrade, a policy or configuration update, or any other change, you should immediately measure the effects of that change on user experience. You can now identify problems right away—before your users. And, since you’re measuring performance from multiple points across your environment, you can quickly zero in on their cause.
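The baseline-and-compare loop described above, reduced to a small script. This is an added example, not code from the essay's author or from Spirent: it assumes each test agent reports per-request latency samples in milliseconds, keyed by the vantage point it ran from and the application it exercised. The vantage points, applications, latency samples and 20% tolerance are constructed for illustration, and the p95 statistic and the localization rule are one reasonable choice rather than anything the essay prescribes.

```python
"""Baseline-and-compare step for continuous network QoE testing.

Added example, not code from the essay or from Spirent. It assumes every
test agent reports per-request latency samples in milliseconds, keyed by
the vantage point it ran from and the application it exercised. All names,
samples and the 20% tolerance below are constructed for illustration.
"""
from collections import defaultdict
from math import ceil

TOLERANCE = 0.20  # constructed: p95 latency may grow at most 20% over baseline

# Constructed baseline: everything healthy, all security controls engaged.
BASELINE = {
    ("hq-lan", "trading-api"):     [10, 11, 12, 12, 13],
    ("branch-nyc", "trading-api"): [18, 19, 20, 21, 22],
    ("hq-lan", "video-conf"):      [30, 32, 33, 35, 36],
    ("branch-nyc", "video-conf"):  [40, 41, 43, 44, 45],
}

# Constructed run after a change: trading-api slowed from every vantage
# point, video-conf slowed only from the branch.
CURRENT = {
    ("hq-lan", "trading-api"):     [14, 16, 17, 18, 19],
    ("branch-nyc", "trading-api"): [26, 27, 28, 29, 30],
    ("hq-lan", "video-conf"):      [31, 33, 34, 35, 37],
    ("branch-nyc", "video-conf"):  [58, 60, 62, 65, 70],
}


def p95(samples):
    """Nearest-rank 95th percentile: no interpolation, so it behaves
    predictably on the small sample counts a quick test run produces."""
    if not samples:
        raise ValueError("no latency samples")
    ordered = sorted(samples)
    rank = ceil(0.95 * len(ordered))        # 1-based rank
    return ordered[rank - 1]


def compare(baseline, current, tolerance=TOLERANCE):
    """Compare a run against the baseline, key by key.

    Returns (regressions, missing): regressions maps key -> (baseline p95,
    current p95, ratio) for keys whose p95 grew by more than `tolerance`;
    missing lists keys the current run produced no samples for, which is
    itself a finding (an agent, a path or an application may be down)."""
    regressions, missing = {}, []
    for key, base_samples in baseline.items():
        if not current.get(key):
            missing.append(key)
            continue
        base, cur = p95(base_samples), p95(current[key])
        ratio = cur / base
        if ratio > 1 + tolerance:
            regressions[key] = (base, cur, round(ratio, 2))
    return regressions, missing


def localize(regressions, baseline):
    """Use the multi-vantage-point layout to narrow down the cause.

    A regression seen from every vantage point that measures an application
    points at something they share (the application path or a control in
    front of it); one seen from only some vantage points points at those sites."""
    measured = defaultdict(set)
    for vp, app in baseline:
        measured[app].add(vp)
    regressed = defaultdict(set)
    for vp, app in regressions:
        regressed[app].add(vp)
    verdicts = {}
    for app, sites in regressed.items():
        if sites == measured[app]:
            verdicts[app] = "all vantage points: suspect a shared control or the application path"
        else:
            verdicts[app] = "site-local (%s): suspect that site's link or device" % ", ".join(sorted(sites))
    return verdicts


if __name__ == "__main__":
    regs, missing = compare(BASELINE, CURRENT)
    for key, (base, cur, ratio) in sorted(regs.items()):
        print("REGRESSION %-10s %-12s p95 %3d -> %3d ms (x%.2f)" % (key[0], key[1], base, cur, ratio))
    for key in missing:
        print("MISSING    %-10s %-12s no samples in current run" % key)
    for app, verdict in sorted(localize(regs, BASELINE).items()):
        print("%s: %s" % (app, verdict))
```

Run it after every change with the current run's samples swapped in; in the constructed data, trading-api regresses from both vantage points and is flagged as a shared problem, while video-conf regresses only from branch-nyc and is flagged as site-local, which is the "zero in on the cause" step the essay describes.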

By taking these steps, you may not permanently solve the problem of balancing network security and performance. But you’ve solved it for today—and you’ve put the tools and procedures in place to keep solving it in the future.

About the essayist: Sashi Jeyaretnam is Senior Director of Product Management for Security Solutions at Spirent, a British multinational telecommunications testing company headquartered in Crawley, West Sussex, in the United Kingdom.
